A few weeks ago I shipped SecURL — a passive external security posture tool I'd been building on and off for longer than I care to admit. The pitch is simple: paste a URL, get a graded read of your site's full external security posture — headers, TLS, DNS/email trust, third-party surface, and passive intelligence signals, all ranked by what to fix first.
I wrote a short post about finally shipping it. But "I built a thing" isn't particularly useful to anyone. What's more useful is seeing the tool do something real.
So I ran it against 10 well-known public sites — UK government, public sector, major tech companies — and I'm publishing the raw results here. No editorialising, no cherry-picking. Just what the engine found.
The scan setup
All scans used quiet mode via the open-source npm package:
npx @ktbatterham/external-posture-core scan https://example.com --quiet
Scores are 0–100. Grades run A–F. These are heuristic assessments, not penetration tests or compliance attestations.
Results
| Site | Grade | Score | Critical | Warning |
|---|---|---|---|---|
| stripe.com | 🟢 A | 90/100 | 0 | 1 |
| github.com | 🟢 A | 90/100 | 0 | 2 |
| gov.uk | 🟡 B | 89/100 | 0 | 3 |
| hmrc.gov.uk | 🟡 B | 88/100 | 0 | 3 |
| linear.app | 🟡 B | 85/100 | 0 | 4 |
| bbc.co.uk | 🟡 B | 85/100 | 0 | 4 |
| nhs.uk | 🟡 B | 83/100 | 0 | 4 |
| netlify.com | 🟡 B | 83/100 | 0 | 6 |
| vercel.com | 🟡 B | 84/100 | 0 | 3 |
| theguardian.com | 🟠 C | 72/100 | 0 | 13 |
What the findings actually say
The near-universal gap: COOP and CORP
The two findings that appear almost everywhere are "Cross-Origin-Opener-Policy (COOP) is missing" and "Cross-Origin-Resource-Policy (CORP) is missing". These are relatively modern isolation headers — part of the browser's cross-origin isolation model introduced to mitigate Spectre-class side-channel attacks. Neither is widely deployed yet, even by security-conscious organisations.
HSTS: not just "present" but "strong"
Gov.uk, HMRC, and NHS all set HSTS — which is good. But the engine flagged "HSTS could be stronger" for all three. A fully hardened HSTS header: Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
CSP: present doesn't mean secure
The BBC and Guardian triggered "CSP contains risky allowances" — typically 'unsafe-inline', 'unsafe-eval', or wildcard sources. A CSP that allows unsafe-inline is significantly weaker than having no CSP. Netlify and NHS had no CSP at all.
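To make the three header findings above concrete (COOP/CORP missing, "HSTS could be stronger", and "CSP contains risky allowances"), here is a small added example that is not SecURL's code and does not reproduce its scoring. It assumes headers arrive as a plain object of name to value (what `Object.fromEntries(response.headers)` gives you from Node's `fetch`), uses the fully hardened HSTS from the previous section as the bar, treats `'unsafe-inline'`, `'unsafe-eval'`, `*` and bare `https:`/`http:` sources as risky, and assigns severities of its own. The sample header sets are constructed, not captured from any of the sites above.

```javascript
// Added example: header posture checks in the spirit of the findings above.
// Not SecURL's implementation; thresholds, severities and samples are assumptions.

const TWO_YEARS = 63072000; // max-age of the "fully hardened" HSTS header

// Case-insensitive header lookup; joins multi-valued headers.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === want) return Array.isArray(v) ? v.join(', ') : String(v);
  }
  return null;
}

// Strict-Transport-Security: "max-age=N; includeSubDomains; preload"
function parseHsts(value) {
  const d = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(';')) {
    const tok = raw.trim().toLowerCase();
    if (tok.startsWith('max-age=')) d.maxAge = parseInt(tok.slice(8).replace(/"/g, ''), 10);
    else if (tok === 'includesubdomains') d.includeSubDomains = true;
    else if (tok === 'preload') d.preload = true;
  }
  return d;
}

// Content-Security-Policy: "directive src src; directive src" -> { directive: [src...] }
function parseCsp(value) {
  const dirs = {};
  for (const raw of value.split(';')) {
    const parts = raw.trim().split(/\s+/).filter(Boolean);
    if (parts.length) dirs[parts[0].toLowerCase()] = parts.slice(1);
  }
  return dirs;
}

// Risky script sources. script-src falls back to default-src per the CSP spec.
// Edge case: when a nonce or hash source is present, browsers ignore
// 'unsafe-inline' (CSP Level 2+), so it is not flagged in that case.
function cspRiskyAllowances(dirs) {
  const sources = dirs['script-src'] || dirs['default-src'] || [];
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  const risky = [];
  for (const src of sources) {
    const s = src.toLowerCase();
    if (s === "'unsafe-inline'" && hasNonceOrHash) continue;
    if (s === "'unsafe-inline'" || s === "'unsafe-eval'" || s === '*' || /^https?:$/.test(s)) {
      risky.push(src);
    }
  }
  return risky;
}

// Returns an array of findings: { id, severity, message, detail? }
function assessHeaders(headers) {
  const findings = [];
  const warn = (id, message, detail) => findings.push({ id, severity: 'warning', message, detail });

  if (!getHeader(headers, 'cross-origin-opener-policy')) warn('coop-missing', 'Cross-Origin-Opener-Policy (COOP) is missing');
  if (!getHeader(headers, 'cross-origin-resource-policy')) warn('corp-missing', 'Cross-Origin-Resource-Policy (CORP) is missing');

  const hsts = getHeader(headers, 'strict-transport-security');
  if (!hsts) {
    findings.push({ id: 'hsts-missing', severity: 'critical', message: 'HSTS is not set' });
  } else {
    const h = parseHsts(hsts);
    if (h.maxAge === null || h.maxAge < TWO_YEARS || !h.includeSubDomains || !h.preload) {
      warn('hsts-weak', 'HSTS could be stronger', hsts);
    }
  }

  const csp = getHeader(headers, 'content-security-policy');
  if (!csp) {
    warn('csp-missing', 'No Content-Security-Policy');
  } else {
    const risky = cspRiskyAllowances(parseCsp(csp));
    if (risky.length) warn('csp-risky', 'CSP contains risky allowances', risky);
  }
  return findings;
}

// Constructed samples (not real responses from any site named in the post).
const SAMPLE_TYPICAL = {
  'Strict-Transport-Security': 'max-age=31536000',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline' https:",
};
const SAMPLE_HARDENED = {
  'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
  'content-security-policy': "default-src 'self'; script-src 'self' 'nonce-c0nstructed'",
  'cross-origin-opener-policy': 'same-origin',
  'cross-origin-resource-policy': 'same-origin',
};

for (const f of assessHeaders(SAMPLE_TYPICAL)) {
  console.log(`[${f.severity}] ${f.message}${f.detail ? ' -> ' + JSON.stringify(f.detail) : ''}`);
}
```

Against a live site you would feed it `Object.fromEntries((await fetch(url)).headers)`; the nonce/hash rule matters in practice because a policy such as `script-src 'nonce-…' 'unsafe-inline'` is a deliberate CSP3-with-CSP2-fallback pattern, not a weakness, and a naive substring check would misreport it.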
The Guardian's C grade: 13 warnings
The Guardian's 72/100 reflects the operational complexity of a major news publisher — extensive third-party integrations, advertising dependencies, and a broad CDN surface. Advertisers bring JavaScript; JavaScript brings risk. The score reflects that tension honestly.
Why "no critical findings" isn't the whole story
A high score doesn't mean a site is secure. SecURL is a passive external posture tool — it reads what's observable from the outside. It doesn't authenticate, doesn't test application logic, and doesn't find vulnerabilities inside your application. Think of it as the read you'd get by acting as a diligent external observer.
Try it on your own site
👉 app.securl.online — free, no login, results in seconds.
npx @ktbatterham/external-posture-core scan https://yourdomain.com --fail-on critical
Drop your domain in the comments if you want me to take a look at the result.